Configuring RADIUS

Overview

Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server protocol for implementing AAA (authentication, authorization, and accounting). It protects networks against unauthorized access and is commonly used in environments that require both high security and remote user access. For more information about AAA, see "Configuring AAA."

RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting (RFC 2865 and RFC 2866). Some older implementations still use the legacy ports 1645 and 1646, so check which ports the server listens on when the client and server disagree. RADIUS itself runs over plain UDP with no transport-layer encryption; the integrity of each exchange rests entirely on the shared key configured on both the client and the server.

RADIUS was originally designed for dial-in user access and has since been extended to other access methods, including Ethernet and ADSL. It provides access authentication, authorization, and accounting services; the accounting function collects and records network resource usage information.

Client/server model

RADIUS clients run on network access servers (NASs) located throughout the network. A NAS passes user information to a RADIUS server and accepts or rejects the user's access request according to the response it receives from the server.

The RADIUS server runs on a computer or workstation at the network center and maintains the information needed for user authentication and network service access. It receives connection requests, authenticates users, and returns access control information (for example, an accept or reject decision for the user access request) to the clients.

The RADIUS server typically maintains the following databases: Users, Clients, and Dictionary. See Figure 346.

Figure 346 RADIUS server databases

Users—Stores user information such as usernames, passwords, applied protocols, and IP addresses.

Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.

Dictionary—Stores RADIUS protocol attributes and their values.
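The exchange described above, worked through in code as an added example (this is illustration written for this section, not code from the original page or from any vendor product): a NAS builds an Access-Request, hides the User-Password with the shared key from the server's Clients database (RFC 2865 section 5.2), the server looks the user up in its Users database and answers Access-Accept or Access-Reject, and the NAS verifies the Response Authenticator before trusting the answer. The shared key, user name, password, NAS address and identifier are all constructed values, and the two sides are run in one process instead of over UDP so the block runs offline.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed example values (not from the original page): the key the server
# stores for this NAS in its Clients database, and one entry of its Users database.
SHARED_SECRET = b"s3cret-nas-key"
USERNAME = b"alice"
PASSWORD = b"correct horse"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RADIUS Code field
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4  # Dictionary attribute types


def _tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    block), where the 'previous block' of the first block is the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as performed by the server. Trailing NUL padding is
    stripped, so this assumes the real password does not end in a NUL byte."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """NAS side: Code, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    if request_auth is None:
        request_auth = secrets.token_bytes(16)   # must be unpredictable per request
    attrs = (_tlv(ATTR_USER_NAME, username)
             + _tlv(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _tlv(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])))  # constructed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_packet(pkt: bytes):
    """Decode the fixed header and walk the attribute list, rejecting bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, pkt[4:20], attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(pkt: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, consult the Users database, sign the reply."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected RADIUS code")
    stored = users.get(attrs.get(ATTR_USER_NAME, b""))
    presented = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = stored is not None and hmac.compare_digest(stored, presented)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(resp_code, ident, b"", req_auth, secret)
    return struct.pack("!BBH", resp_code, ident, 20) + resp_auth


def client_check_response(resp: bytes, ident: int, req_auth: bytes, secret: bytes):
    """NAS side: accept the reply only if its Identifier and Response Authenticator
    match; otherwise return None, since an unauthenticated reply must be discarded."""
    code, rid, auth, _ = parse_packet(resp)
    if rid != ident:
        return None
    expected = response_authenticator(code, rid, resp[20:], req_auth, secret)
    return code if hmac.compare_digest(auth, expected) else None


def run_exchange(password_tried: bytes, client_secret: bytes = SHARED_SECRET):
    """Whole NAS <-> server round trip in-process. Returns the verified reply code,
    or None when the reply fails verification (for example, a mismatched shared key)."""
    users = {USERNAME: PASSWORD}
    ident, req_auth = 7, secrets.token_bytes(16)
    req = build_access_request(ident, USERNAME, password_tried, client_secret, req_auth)
    resp = server_handle(req, SHARED_SECRET, users)
    return client_check_response(resp, ident, req_auth, client_secret)
```

Running `run_exchange(PASSWORD)` yields Access-Accept, a wrong password yields Access-Reject, and a NAS configured with a different shared key than the server gets None: the server cannot recover the password it sent and the NAS cannot verify the Response Authenticator, which is exactly what a shared-key mismatch between the Clients database and the NAS looks like in practice. Note that the password hiding is a MD5-based stream construction rather than real encryption, and an attacker who sees one packet and knows the shared key recovers every password, which is why the shared key must be long, unique per client, and carried over a protected path (or RADIUS over TLS) on untrusted networks.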
